21 Nov 2006

I spoke at an ID card event the other day. Dave Birch also spoke and had this fantastic quote on one of his slides. I liked it so much I had to blog about it, even though I don’t really have anything to link it to (other than the crazed attitude of the current government, that is):

They constantly try to escape
From the darkness outside and within
By dreaming of systems so perfect
that no one will need to be good.

17 Nov 2006

I had a lot of fun at the Open Source Jam last night, even if I couldn’t drink because I was on my motorbike. The lightning talks were more lightning than I’ve ever seen before – even though we limited people to three minutes, most people were done in just one – a quick introduction to their project de jour and then on to the next one.
One project that really grabbed my interest was by Nature: Second Nature, an area in Second Life where science stuff meets VR. Or perhaps, given that another thing we discussed was the control of teledildonics via Second Life, where science meets sex.

Comments Off on Second Nature

14 Nov 2006

According to the Telegraph, the Tories will introduce a Government Spending Transparency Bill, which will put all spending over Â£25,000 online. Except “where related to national security” – expect the sudden discovery that almost everything is related to national security.

If it gets through, I think this will lead to some absolutely fascinating mashups.

8 Nov 2006

A while back, I posted about Ontario’s love affair with Cardspace (I notice, btw, that Ann Cavoukian is so hip to this ‘net thing that she’s broken the link to her white paper, which is now here – confidence inspiring). In that post, I said that there was a false claim that the laws were “developed through an open consensus process”.

Kim, being a smart guy, responded thusly

there were many people who interacted with me when I was articulating the laws. I listed them all in the laws – and no one asked not to be mentioned, so far! Iâ€™ve actually been under the impression that there is general consensus that the laws move us forward. EVen you seem to agree.

So I donâ€™t get your point. You donâ€™t want people like Anne Cavoukian to get involved? You donâ€™t think the laws are a good handle for doing so? You donâ€™t think the laws have had a defining role in the emergence of user centric approaches? Or are you arguing that there is no consensus because we didnâ€™t take a formal vote?

I actually thought the laws were a good way for the privacy community to hook up with those of us doing identity.

This strikes me as a politician’s response. I didn’t say there wasn’t a consensus that the laws move us forward. I didn’t say I disagreed with them. I didn’t say Anne Cavoukian should not get involved. I didn’t say the laws were a bad handle for involvement. I didn’t say that the laws have not had a defining role. I didn’t say there was no consensus because we didn’t vote.

What I did say is that the laws were not evolved through an open consensus process. Kim wrote them down. Many people said they were cool, including me. Kim may have made minor changes in response to discussion, but they are not the result of some kind of groupthink.

For example, I have often pointed out that the laws do not include the requirement for unlinkability but they have not been updated to include it (presumably either because Kim doesn’t think its a requirement, or, perhaps more realistically, because Cardspace does not support unlinkability). I and others have pointed out that law 4 is practically unreadable on its own – what are “omnidirectional” and “unidirectional” identifiers? Indeed, what are “public” and “private” entities – now I think about it, this law needs serious redrafting to make any sense.

Kim also says I should read Cavoukian’s version of the laws, and he’s right. She’s redrafted law 4 rather well:

A universal identity metasystem must be capable of supporting a range of identifiers with varying degrees of observability and privacy. Unidirectional identifiers are used by the user exclusively for the other party, and support an individualâ€™s right to minimize data linkage across different sites. This is consistent with privacy principles that place limitations on the use and disclosure of oneâ€™s personal information. At the same time, users must also be able make use of omnidirectional identifiers provided by public entities in order to confirm who they are dealing with online and, thereby ensure that that their personal information is being disclosed appropriately. To further promote openness and accountability in business practices, other types of identifiers may be necessary to allow for appropriate oversight through the creation of audit trails.

I’m particularly interested by “unidirectional identifiers are used by the user exclusively for the other party, and support an individualâ€™s right to minimize data linkage across different sites” – in other words, she recognizes the need for unlinkability. And its true that unidirectional identifiers support the right to minimize data linkage – but they don’t achieve it on their own, and this is where Cardspace currently falls down – unidirectional credentials are issued through a process that is entirely linkable. Unlinkability is achieved only if everyone agrees not to link.

Kim also says that no-one has asked to be removed from his list of “contributors”. This is totally unsurprising – many of them have a vested interest in staying friendly with Microsoft – but I know from private communications that not all of them actually agree that they have contributed.

Kim could easily refute my claim with facts rather than rhetoric. All he needs to do is point to the “wide-ranging conversation documented at www.identityblog.com” and show how his laws evolved through that conversation. I’ve looked – indeed, I’ve followed the discussion – and I haven’t found any evidence at all that supports this claim, let alone contributions by each of the listed people.

Incidentally, I notice that Kim links to practically every blog out there that talks about identity – but not mine. Is that because he doesn’t want to link to anyone that’s not 100% positive about Cardspace?

Not exactly news, but apparently our Information Commissioner, Richard Thomas, has realised that we now live in a surveillance society. Apparently he’d like us to talk about what’s OK and what’s not. As if we hadn’t been.

As ever-more information is collected, shared and used, it intrudes into our private
space and leads to decisions which directly influence peopleâ€™s lives. Mistakes can
also easily be made with serious consequences â€“ false matches and other cases of
mistaken identity, inaccurate facts or inferences, suspicions taken as reality, and
breaches of security. I am keen to start a debate about where the lines should be
drawn. What is acceptable and what is not?

I suppose its progress, even if of a rather 20th century kind.

The report itself has some sensible things to say

A third concern regard technologies is that many argue (mistakenly, as
we shall see) that anxieties about surveillance society may be allayed by
technical means. Certainly, some so-called privacy-enhancing technologies
serve well to curb the growth of technological surveillance (PETs) and their use
should be encouraged where appropriate. But these are at best only ever part of
the answer. We are correct to be wary of any offers to fix what are taken to be
technical problems with technical solutions. As we shall see, the real world of
surveillance society is far to complex for such superficial responses.

This is significant because previous attacks on MD5 gave essentially no control over the content of the colliding messages (that is, you can choose a common initial string, and then you get no control over the parts that differ between the two messages), whereas this one allows you to construct two completely different first parts and then append stuff that causes a collision.

Because its generally possible to find parts of a message that can be freely chosen (the field they use in the X.509 certificate is the modulus of the public key – another example they give is a word document with embedded graphics near the end) this gives a far more potent attack than previously available. Note that because the method is insensitive to intial hash values there\’s no requirement that the two initial parts match in any way at all – they can be different lengths and different content. Clearly there are some constraints due to block alignment – but I\’ll bet even those could be removed. So, in short, you can get pretty much anything to collide.

The first is that FreeBSD has long used Perforce (a commercial version control system) as its “main” version control system – CVS is slaved to it. Of course, FreeBSD is a free software project, so that choice of VCS is interesting. Apparently the core reason is branch management. Firstly, if you try to branch the FreeBSD tree (which is, of course, huge) in CVS, then your machine goes away for a couple of months. Literally. Secondly, CVS doesn’t really understand branches. You can’t continuously merge branch A into branch B – which you can in Perforce. Back when Perforce was selected to replace CVS, there weren’t really any other free VCSes, btw.

Secondly, FreeBSD, being right-thinking people, are thinking about moving back to an open source VCS, now that so many are available. I was interested to discover that a key stumbling block is “obliteration”: when someone commits something they shouldn’t have to the tree often it is good enough to later delete it. But sometimes there is an insistence that the offending material should not just be removed from the head of the tree, but should be completely obliterated from the repository – preventing its recovery from the VCS at all. Not surprisingly, many VCSes do not support obliteration, since the concept is diametrically opposed to a core requirement for version control, namely that I should always be able to recover the tree as it appeared at any point in the past. Perforce, I am told, supports obliteration, and CVS can be persuaded to do it (anyone who’s run a CVS repo will know you can do this by blowing away the corresponding file in the repo itself: ugly, but it works).

Its interesting to think through what obliteration does to a version control system. One obvious consequence is that if you try to retrieve the tree at any point in the period spanned by the obliteration, then you will not get a complete tree back. In a perfect VCS, what would one do about this? I guess you’d have to allow editing of history to permit the tree to be put back “the way it should have been”.

Sometimes its architecturally difficult for the VCS to accomodate obliteration, too. Monotone, for example, expects to always be able to reconstruct a hash chain back to the beginning of time. If you obliterate a file, its ability to construct that chain has gone. Of course, workarounds for this are easy to think of: one could, for instance, include a proxy for the obliterated file which just said what its hash used to be (note that if we ever lose preimage resistance for hash functions this could prove to be a conundrum!).

Patients will have data uploaded … Patients do not have the right to say the information cannot be held.

But that’s OK, because

Once uploading has taken place, a government PR blitz will follow. This will be said to bring about “implied consent” to allow others view the data. Those objecting will be told that their medical care could suffer.

I’m so relieved. I don’t even have to think about whether I agree with the government anymore. They can figure out what I think just by advertising! Isn’t that great? Perhaps we should replace those pesky elections with advertising, life would be so much easier. I’m sure we’re all happy with giving our “implied consent” to Blair as dictator-for-life, aren’t we?